Over the next five days, five senior compliance practitioners will answer questions on managing cyber-risk, how to best prevent and detect a data breach, and other data security and privacy topics. Today’s question:

What’s your role as CCO in creating/implementing cyber-security policies and procedures?

Meet the executives

Andrew Beagley
Chief Risk Officer
Years in compliance: 30

Kortney Nordrum
Regulatory Counsel & CCO
Years in compliance: 7

Laurie Roberts
Founder and President
Cheatham Roberts Consulting
(Formerly Managing Director and CCO of Civitas Capital Group)
Years in compliance: 26+

KC Turan
SVP, Chief Risk, Compliance & Ethics Officer
UPMC Health & Insurance Services
Years in compliance: 20+

Steve Vincze
President & CEO
TRESTLE Compliance
Years in compliance: 25+

DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.

ANDREW BEAGLEY: At OptimEyes, I work with organizations to help map their cyber-security policies, procedures, and processes to fully automated risk frameworks which, in turn, identify and assess control vulnerabilities. We use risk standards such as CIS benchmarks and NIST and also organization-specific policies. We generate risk scores to quantify cyber-debt. These tools help organizations make policy and risk mitigation decisions.


KORTNEY NORDRUM: Our CISO and I are in constant communication and partner on so much of what we do. At my organization, I own privacy policies and procedures, and our CISO owns cyber-security policies and procedures. I’m in charge of making sure he and his team are aware of new laws and regulations that may impact cyber-security or our controls, and he lets me know when his new controls may intersect with my privacy program or policies. We consult each other frequently and have a standing agreement to always keep the other ‘in the loop.’ I’m lucky to work with a CISO who agrees that privacy and cyber-security are two sides to the same (data protection) coin.

LAURIE ROBERTS: As a CCO, I have worked closely with IT professionals both internally and externally to create and implement cyber-security policies and procedures. As technology has evolved through the years, so has the regulatory environment. The regulators from the federal level down to the state level have been instrumental in guiding cyber-security policies and procedures. A key component to effective creation of cyber-security policies and procedures is to involve members of all departments in the organization. In addition, utilizing a bottom-up risk assessment of the organization’s cyber-security policies will also strengthen the creation and development of the procedures. Implementation of policies and procedures begins with a good training program and regular reviews.


KC TURAN: It may depend on the company and industry, but I’m actively involved in developing and implementing cyber-security policies. Two of the integrated governance, risk, and compliance programs that report to me are privacy and data governance, both of which are closely aligned with our cyber-security program, which sits under IT but has a dotted line to me. Privacy, data governance, and cyber-security are strategically and operationally aligned, programmatically complementary, and mutually reinforcing. In our heavily regulated healthcare and insurance industry, we have fairly robust cyber-security regulatory requirements, which further couple and warrant synchronization between cyber-security, risk, compliance, and privacy.


STEVE VINCZE: The role of the CCO in creating and/or implementing cyber-security policies and procedures depends largely on whether the CCO is also the chief privacy officer (CPO) or not, which often is a function of the relative size and maturity of the company that employs them. For smaller, early-stage companies, it is more likely the CCO will also be the CPO. If so, the CCO/CPO should lead the creation and implementation of cyber-security policies and procedures to include associated training, monitoring, and auditing as part of a comprehensive privacy and data security program. If the CCO is a separate role and function from the CPO, the CCO should support the CPO and provide critical information about the specific operational circumstances where cyber-security issues and risk may arise. In either circumstance, collaboration, communication, and coordination with and between the CCO and CPO is imperative to bring the appropriate emphasis, awareness, and support to make these policies and procedures effective and responsive to the needs of the company. That’s the key: customizing and tailoring any such policies and procedures to the unique mix of operational activities and risk for that particular company. Any effective CCO should have a keen awareness and understanding for that dynamic.